I have decided that SandDiff will not be used to compare two sandbox states. I have decided this because I cannot guarantee accurate results comparing two sandboxes and because the goal of SandDiff will be to act like a malware analyzer.

So the next version of SandDiff will show only the modifications (file, registry and port) made to the system. I think I can guarantee accurate results doing that.

Sad to hear. I liked the direction this was going. It was very easy to use and fast. So now when you say 'modifications made to system', what do you mean exactly? It won't work at all with Sandboxie now, or it's just testing for leaks to the real system?

wraithdu wrote: I see. So it will function basically the same, we just have to start with an empty sandbox instead of a box that already has something in it. That's cool, that's primarily how I would use it anyway.

Yes, it's like you say: it will function basically the same and you will start with an empty sandbox instead of a box that already has something in it.

I decided on this change because, like you, I think most people will use it that way anyway.

With this change comparisons will be more accurate, so I will be able to accomplish the final goal of the tool much better. The final goal is converting SandDiff into a sandbox analyzer.

Also I plan on renaming the tool so people don't confuse SandDiff with SandboxDiff.
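The approach the thread settles on (take a baseline of an empty sandbox, run something in it, then report only what was created, modified or deleted) is a snapshot diff. The following is an added example written for this page, not SandDiff's own code: it shows the file-system half of that idea in Python. The directory contents are constructed inline to stand in for a sandbox; registry and port collectors would feed the same `diff_snapshots` function with their own key/value maps.

```python
"""Added example (not SandDiff's code): baseline/after snapshot diff of a
directory tree, reporting created, modified and deleted files."""
import hashlib
import tempfile
from pathlib import Path


def snapshot_dir(root):
    """Map each file (path relative to root) to the SHA-256 of its content.

    Hashing content instead of trusting timestamps means a file rewritten
    with its old mtime preserved still shows up as modified.
    """
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def diff_snapshots(before, after):
    """Return sorted lists of created, deleted and modified keys.

    Works for any two dicts, so a registry collector (key path -> value)
    or a port collector (port -> owning process) can reuse it unchanged.
    """
    before_keys, after_keys = set(before), set(after)
    return {
        "created": sorted(after_keys - before_keys),
        "deleted": sorted(before_keys - after_keys),
        "modified": sorted(
            key for key in before_keys & after_keys if before[key] != after[key]
        ),
    }


def run_demo():
    """Build a constructed sample sandbox, take a baseline, change it, diff.

    The file names and contents here are made up for the example.
    """
    with tempfile.TemporaryDirectory() as sandbox:
        box = Path(sandbox)
        (box / "config.ini").write_text("setting=1\n")
        (box / "keep.txt").write_text("unchanged\n")
        (box / "temp.log").write_text("old log\n")
        baseline = snapshot_dir(box)

        # Simulate the effects of a program run inside the box.
        (box / "config.ini").write_text("setting=2\n")    # modified
        (box / "dropped.bin").write_bytes(b"\x00\x01\x02")  # created
        (box / "sub").mkdir()
        (box / "sub" / "nested.txt").write_text("new\n")   # created
        (box / "temp.log").unlink()                        # deleted
        # keep.txt is left untouched and must not be reported

        return diff_snapshots(baseline, snapshot_dir(box))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Running the block prints three lists; only the changed entries appear, which is exactly the "start with an empty sandbox and report the modifications" workflow the thread describes.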